BIO2 is coming: what's going to change?
Author: Abe Winters, Security analyst
Security officers at government agencies beware: The BIO2 is coming. What additional measures does your organization need to take to comply? We outline the differences from BIO1.04 so you can prepare for this transition.
What is the BIO?
The Government Information Security Baseline (BIO) aims to bring all Dutch government agencies to a common level of information security. The current version, BIO1.04, is based on the 2017 NEN-ISO/IEC 27001 and 27002. A new version of ISO 27001 and 27002 was published in 2022. This is one of the reasons for developing BIO2.
Based on a review of BIO1.04 and workshops with government agencies, a draft was published. In this article, we compare the current BIO1.04 with the draft of BIO2 and outline the main differences. Note that the BIO2 texts are still drafts and are subject to change.
High-level differences
Legal embedding via NIS2 implementation
Organizations covered by the NIS2 directive, including governments, face a duty of care. To implement NIS2 at the government level, it was decided in 2023 to link the delivery of BIO2 to the national legislation that comes into force based on NIS2. Therefore, BIO2 will be legally embedded through the NIS2 implementation in the Cybersecurity Act and soon become mandatory (early 2025). See our practical NIS2 guide for more information on NIS2.
Elimination of basic security levels
Basic security levels (BBNs) will be abolished in BIO2. The evaluation of BIO1.04 found that too much emphasis was placed on classifying individual systems by BBN, and less on overall risk management. To refocus on risk management, BBNs are being dropped.
ISO 27002 from 2017 to 2022
The BIO follows the structure of ISO 27002. This standard received an update at the end of 2022, ISO 27002:2022. This new version brings several changes in both content and structure. Whereas controls were previously organized into 14 chapters, they have now been reduced to the following four chapters:
- A5: Organizational
- A6: People
- A7: Physical
- A8: Technological
These chapters contain a consolidation of existing controls, plus new controls for new technologies and current threats. For example, Chapter 5 includes a new control on information security for the use of cloud services (5.23) and a new control on threat intelligence (5.7).
BIO2 is expected to follow this new structure. In anticipation of BIO2, the government has already published the BIO2 Guide in 2023. This guide aligns BIO with the context and structure of ISO 27002:2022, linking government measures to the chapters and controls in ISO 27002:2022.
Examples of changes
1. A functioning ISMS
The draft BIO2 refers several times to the ISO 27k series. For example, Measure 5.35.1 is modified as follows:
- BIO1.04: There is an information security management system (ISMS) that demonstrably covers the entire Plan-Do-Check-Act cycle in a structured manner.
- BIO2 Draft: There is a functioning ISMS in accordance with ISO 27001.
The measure thus becomes more specific and explicitly requires an ISMS in accordance with ISO 27001.
2. New and amended government measures
In addition to the high-level changes, the mandatory government measures have also changed. Chapter 5 (Organizational) contains the most changed government measures.
Some measures are tighter and/or more specific. For example, where government measure 5.01.02 of BIO1.04 mentions periodic updating of the information security policy, BIO2 specifies it as annual. A similar change is included in government measure 8.08.04. While BIO1.04 states that information systems should preferably be audited annually for "technical compliance with security standards and risks regarding actual security," BIO2 states "at least annually."
3. Attention to responsibilities and roles
There is also an increased focus on responsibilities and roles within information security, particularly in the area of incident response. Government measure 5.01.01 now states that the following components must be described and established:
- Responsibilities related to information security,
- Security of operational technology,
- Responsibilities related to Business Continuity Management.
4. Management of assets and supply chains
Several new government measures in BIO2 emphasize the importance of asset management. This includes knowing the organization's own information processing systems, as well as knowing its suppliers and contracts. This is reflected in the following new government measures:
- 5.09.01: Establish and maintain an accurate, detailed and current inventory of all assets used for information processing.
- 5.14.04: Maintain a current record of all systems, web applications, IP addresses and APIs directed to the Internet.
- 5.14.05: Publicly accessible websites shall be reported through the government Internet domain registry.
- 5.22.02: Maintain a current registry of vendors and contracts entered into.
5. Annual testing of employees for click behavior
The BIO2 draft texts include several new government measures related to awareness of cybersecurity risks, covering the knowledge of both executives and employees. This is reflected in the following new government measures:
- 5.10.1: Executives must be able to demonstrate that they have received training that has provided them with sufficient knowledge and skills to recognize cybersecurity risks and assess their impact on the services and/or products the organization provides.
- 5.10.4: Employees, like executives in 5.10.1, must undergo regular training and education to recognize risks and respond appropriately.
- 8.07.5: At least annually, users shall be tested for their click behavior.
How can you prepare?
Study ISO/IEC 27001:2022 and ISO/IEC 27002:2022, and also the BIO2 Guide. The guide allows you to apply the government measures from BIO1.04 according to the structure of NEN-EN-ISO/IEC 27002:2022.
If you already have an ISMS compliant with ISO 27001:2022, the transition will not be too great. It is especially important to pay close attention to the new government measures.
Don't have a control framework yet? Then BIO2, combined with the upcoming NIS2, is a good opportunity to start building one. Security consultants from Bureau Veritas Cybersecurity can help and support you in this regard.
In addition, start setting up and maintaining an inventory of:
- Assets used for information security.
- All Internet-facing systems, Web applications, IP addresses and APIs.
About the author
Abe Winters, Security analyst
Abe Winters is a Security analyst at Bureau Veritas Cybersecurity working in the 'Public' market group. He is passionate about cybersecurity and combines a technical background with knowledge of the process side. Currently he mainly performs penetration testing for public sector clients, but he also has knowledge of security management with standards such as ISO 27001.
Abe holds an MSc. in Cyber Security from the University of Twente and in his thesis he researched the prioritization of security controls based on the active threat landscape by sector.
How Bureau Veritas Cybersecurity supports you
As an independent cybersecurity expert, Bureau Veritas Cybersecurity can assist you with all aspects of NIS2, ISO/IEC 27k and the additional BIO measures. We can help you with overall BIO Compliance, as well as specific issues addressed in the (updated) government measures. This includes training your executives and employees to recognize and respond to cybersecurity risks, performing penetration testing, or establishing a control framework and implementing an ISMS in accordance with ISO 27001.